
When the world opens for business on May 25, 2018, the European Union’s General Data Protection Regulation will be in effect, permanently changing the way businesses around the world collect, process, and store data on EU prospects and customers. Early indications suggest that many organizations don’t fully grasp the magnitude of the new legislation or the extent of its requirements:

  • When Veritas conducted a survey of organizations from around the globe, 31 percent indicated that they were already GDPR compliant. However, when questions turned to specific requirements, it became clear that many of them fell short. In fact, 98 percent of the organizations that initially believed themselves to be compliant were mistaken.
  • In a study conducted by Varonis, 38 percent of respondents indicated that their organizations don’t view becoming compliant by the May 25 deadline as a priority.
  • In another survey conducted by TrustArc, 61 percent of respondents reported that they hadn’t begun implementation of their plan for compliance, and 4 percent of that group hadn’t even started the planning process.
  • Gartner predicts that, by the end of 2018, more than half of affected organizations will still be non-compliant.

What Is the GDPR?

The GDPR is the European Union’s General Data Protection Regulation. Its purpose is to “harmonize data privacy laws across Europe, to protect and empower all EU residents’ data privacy, and to reshape the way organizations across the region approach data privacy for EU residents wherever they work in the world.”

Who Is Covered by the GDPR?

The law applies to any organization conducting business in the EU, and also to organizations outside the EU that collect, process, or store information on EU citizens, or on non-citizens while they reside in the EU. That includes:

  • Non-EU companies that employ EU citizens (regardless of location)
  • Non-EU companies that collect, process, or store data on EU citizens and/or residents (even, for example, an IP address for a single individual)

In general, it would be a mistake for organizations to simply assume that they’re not affected because they have no physical presence in the EU.

Editor's Note: This is the first in a four-part series. Tomorrow we'll look into the implications of the GDPR for your organization. Read more of Auvray and Podnar's thoughts on the GDPR in this free whitepaper.

What’s Different About This Legislation?

The GDPR replaces the Data Protection Initiative of 95/46/EC. Key changes include:

Increased scope

The GDPR greatly extends the jurisdiction of the previous law. Whereas the Data Protection Initiative was somewhat ambiguous as to whether it applied outside of the EU, the GDPR makes it clear that geographic location is not a factor. The law applies to data belonging to any EU citizen or current resident, regardless of whether the related activity takes place within the EU.

Increased penalties

Non-compliant organizations can be fined up to 4 percent of global annual sales or €20 million (about U.S. $24 million), whichever is greater. Fines are tiered according to the seriousness of the violation.

Explicit consent

Organizations must obtain explicit permission to collect, process, or store personal data, using language that clearly describes how the data will be used. Organizations will no longer be able to cloak the terms of consent in hard-to-understand, technical language or to rely on consumers to opt out of unwanted communications. Moreover, consent must be use-specific, meaning that data collected for one reason (downloading a white paper, for example) can’t be used for another purpose (such as targeted marketing emails), and that organizations cannot collect more data than is necessary for the stated purpose.

In addition, organizations must make it easy for EU residents to withdraw their consent at any time.

Breach notification

Organizations must issue all required notifications within 72 hours of the time they become aware of a breach. Required notifications vary by jurisdiction but typically include regulatory authorities, consumers, credit reporting agencies, law enforcement, etc. Organizations must also provide credit monitoring to consumers whose data was compromised.

Right to access

Citizens and current EU residents have the right to know what data is being collected, how it’s being used, where it’s being processed, and who has access to it. In a significant shift toward empowering consumers, organizations (upon request) must provide an electronic copy, in machine-readable format, of the collected data free of charge. Users have the right to request that any incorrect information about them be corrected.

Right to be forgotten

In addition to the right to withdraw consent, consumers have the right to demand that their data be erased and that, in some situations, third parties cease any processing of their data.

Data portability

This provision of the GDPR introduces the concept of portability, which means that consumers have the right to request their data in an electronic format and to then transfer that data to another processor.

Privacy by design

The concept of privacy by design isn’t new, but the GDPR is the first piece of legislation to make it a requirement. It means that, instead of being a retroactive “patch,” privacy should be an integral, ground-up part of digital business processes. One example would be collecting only as much data as is truly necessary rather than collecting as much as is possible.

Data protection officers

This is one of the few areas in which the GDPR makes things somewhat easier. Under the older legislation, the requirements for logging data processing activities were cumbersome and varied by jurisdiction. Under the GDPR, those requirements have been replaced with internal record-keeping requirements, and some organizations (those whose core activities involve the handling of certain amounts or types of sensitive personal data) must appoint qualified Data Protection Officers (DPOs) to oversee all related activities. And, because DPOs must be objective, they are granted special employment protections.